Test 2 Chapters 3 - 4

True/False

Indicate whether the statement is true or false.

1.

The Computer Security Act of 1987 is the cornerstone of many computer-related
federal laws and enforcement efforts; it was originally written as an extension and clarification of
the Comprehensive Crime Control Act of 1984.

2.

Cultural differences can make it difficult to determine what is and is not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.

3.

The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement, but it has been well received by supporters of individual rights in the U.S.

Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.

6.

Individuals with authorization and privileges to manage information within the
organization are most likely to cause harm or damage by accident.

7.

Due care and due diligence require that an organization make a valid effort to
protect others and continually maintain this level of effort, ensuring these actions are
effective.

8.

Unethical and illegal behavior is generally caused by ignorance (of policy
and/or the law), by accident, and by inadequate protection mechanisms.

9.

The United States has implemented a version of the DMCA law called the Database
Right, in order to comply with Directive 95/46/EC.

10.

The key difference between laws and ethics is that ethics carry the authority of
a governing body and laws do not.

11.

The NSA is responsible for signals intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the US and its allies under all circumstances.

12.

For policy to become enforceable it only needs to be distributed, read,
understood, and agreed to.

13.

Key studies reveal that legal penalties are the overriding factor in
leveling ethical perceptions within a small population.

14.

Since it was established in January 2001, every FBI field office has
established an InfraGard program to collaborate with public and private organizations and the
academic community.

15.

The difference between a policy and a law is that ignorance of a law is an
acceptable defense.

16.

Criminal law addresses activities and conduct harmful to society and is categorized as private or public.

17.

The Secret Service is charged with safeguarding the nation’s financial
infrastructure and payments systems to preserve the integrity of the economy.

18.

Studies on ethics and computer use reveal that people of different nationalities
have different perspectives; difficulties arise when one nationality’s ethical behavior
violates the ethics of another national group.

19.

In the context of information security, confidentiality is the right of the
individual or group to protect themselves and their information from unauthorized access.

20.

Employees are not deterred by the potential loss of certification or
professional accreditation resulting from a breach of a code of conduct as this loss has no effect on
employees' marketability and earning power.

21.

The Department of Homeland Security is the only U.S. federal agency charged with
the protection of American information resources and the investigation of threats to, or attacks on,
the resources.

22.

Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site.

23.

A disaster recovery plan is a plan that shows the organization’s intended
efforts to restore operations at the original site in the aftermath of a disaster.

24.

An attack, breach of policy, or other incident always constitutes a violation of
law, requiring notification of law enforcement.

25.

A standard is a plan or course of action that conveys instructions from an
organization’s senior management to those who make decisions, take actions, and perform other
duties.

26.

Failure to develop an information security system based on the
organization’s mission, vision, and culture guarantees the failure of the information security
program.

27.

The policy administrator is responsible for the creation, revision,
distribution, and storage of the policy.

28.

ISO/IEC 17799 is widely considered more useful than any other information
security management approach.

29.

Good security programs begin and end with policy.

30.

You can create a single comprehensive ISSP document covering all information
security issues.

31.

To remain viable, security policies must have a responsible individual, a
schedule of reviews, a method for making recommendations for reviews, and a policy issuance and
planned revision date.

32.

Administrative controls guide the development of education, training, and
awareness programs for users, administrators, and management.

33.

NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans
for Federal Information Systems, includes templates for major application security plans,
and provides detailed methods for assessing, designing, and implementing controls and plans for
applications of varying size.

34.

To achieve defense in depth, an organization must establish multiple layers of
security controls and safeguards.

35.

The global information security community has universally agreed with the
justification for the code of practices as identified in the ISO/IEC 17799.

36.

The security framework is a more detailed version of the security
blueprint.

37.

Management controls address the design and implementation of the security
planning process and security program management.

38.

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

39.

The ISSP sets out the requirements that must be met by the information security
blueprint or framework.

40.

A policy should state that if employees violate a company policy or any law
using company technologies, the company will protect them, and the company is liable for the
employee’s actions.

41.

In 2014, NIST published a new Cybersecurity Framework to create a mandatory
framework for managing cybersecurity risk for the delivery of critical infrastructure services, based
on vendor-specific technologies.

Every member of the organization's InfoSec department must have a formal
degree or certification in information security.

44.

A cold site provides many of the same services and options of a hot site, but at
a lower cost.

45.

Each policy should contain procedures and a timetable for periodic
review.

46.

ACLs are more specific to the operation of a system than rule-based policies and
they may or may not deal with users directly.

47.

Disaster recovery personnel must know their roles without supporting
documentation, which is a function of preparation, training and rehearsal.

48.

Hot swapping is a RAID implementation (typically referred to as RAID Level 1) in
which the computer records all data to twin drives simultaneously, providing a backup if the primary
drive fails.

49.

Security training provides detailed information and hands-on instruction to
employees to prepare them to perform their duties securely.

50.

NIST SP 800-14's Principles for Securing Information Technology Systems can be used to make sure the key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture.

51.

Many industry observers claim that ISO/IEC 17799, the precursor to ISO/IEC
27001, is not as complete as other frameworks.

Multiple Choice

Identify the choice that best completes the statement or answers the question.

52.

Which of the following acts is also widely known as the Gramm-Leach-Bliley
Act?

a. Financial Services Modernization Act
b. Communications Act
c. Computer Security Act
d. Health Insurance Portability and Accountability Act

53.

The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with __________ activities.

a. online terrorist
b. electronic commerce
c. cyberactivist
d. Internet

54.

What is the subject of the Computer Security Act?

a. Federal Agency Information Security
b. Telecommunications Common Carriers
c. Cryptography Software Vendors
d. Banking Industry

55.

What is the subject of the Sarbanes-Oxley Act?

a. Banking
b. Financial Reporting
c. Privacy
d. Trade secrets

56.

According to the National Information Infrastructure Protection Act of 1996, the
severity of the penalty for computer crimes depends on the value of the information obtained and
whether the offense is judged to have been committed for each of the following except
__________.

a. for purposes of commercial advantage
b. for private financial gain
c. to harass
d. in furtherance of a criminal act

57.

__________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

a. Public
b. Private
c. Civil
d. Criminal

58.

Which of the following acts is a collection of statutes that regulate the
interception of wire, electronic, and oral communications?

a. Electronic Communications Privacy Act
b. Financial Services Modernization Act
c. Sarbanes-Oxley Act
d. Economic Espionage Act

59.

Which of the following acts defines and formalizes laws to counter threats from
computer related acts and offenses?

a. Electronic Communications Privacy Act of 1986
b. Freedom of Information Act (FOIA) of 1966
c. Computer Fraud and Abuse Act of 1986
d. Federal Privacy Act of 1974

60.

Individuals with authorization and privileges to manage information within the
organization are most likely to cause harm or damage __________.

a. with intent
b. by accident
c. with malice
d. with negligence

61.

Which of the following countries reported the least tolerant attitudes toward
personal use of organizational computing resources?

a.

Australia

c.

Singapore

b.

United States

d.

Sweden

62.

Laws and policies and their associated penalties only deter if which of the
following conditions is present?

a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the above

63.

The __________ attempts to prevent trade secrets from being illegally
shared.

a. Electronic Communications Privacy Act
b. Sarbanes-Oxley Act
c. Financial Services Modernization Act
d. Economic Espionage Act

64.

The Privacy of Customer Information Section of the common carrier regulation
states that any proprietary information shall be used explicitly for providing services, and not for
any __________ purposes.

a. troubleshooting
b. billing
c. customer service
d. marketing

65.

The __________ of 1999 provides guidance on the use of encryption and provides
protection from government intervention.

a.

Prepper Act

c.

USA PATRIOT Act

b.

Economic Espionage Act

d.

Security and Freedom through Encryption
Act

66.

The Health Insurance Portability and Accountability Act Of 1996, also known as
the __________ Act, protects the confidentiality and security of health care data by establishing and
enforcing standards and by standardizing electronic data interchange.

a. Gramm-Leach-Bliley
b. Kennedy-Kassebaum
c. Privacy
d. HITECH

67.

Criminal or unethical __________ goes to the state of mind of the
individual performing the act.

a. attitude
b. intent
c. accident
d. ignorance

68.

The National Information Infrastructure Protection Act of 1996 modified which
Act?

a. USA PATRIOT Act
b. USA PATRIOT Improvement and Reauthorization Act
c. Computer Security Act
d. Computer Fraud and Abuse Act

69.

The Computer __________ and Abuse Act of 1986 is the cornerstone of many
computer-related federal laws and enforcement efforts.

a. Violence
b. Fraud
c. Theft
d. Usage

70.

__________ law comprises a wide variety of laws that govern a nation or
state.

a. Criminal
b. Civil
c. Public
d. Private

71.

The __________ defines stiffer penalties for prosecution of terrorist
crimes.

a. USA PATRIOT Act
b. Sarbanes-Oxley Act
c. Gramm-Leach-Bliley Act
d. Economic Espionage Act

72.

According to NIST SP 800-14's security principles, security should
________.

a. support the mission of the organization
b. require a comprehensive and integrated approach
c. be cost-effective
d. All of the above

73.

__________ is a strategy for the protection of information assets that uses
multiple layers and different types of controls (managerial, operational, and technical) to provide
optimal protection.

a. Networking
b. Proxy
c. Defense in depth
d. Best-effort

74.

_________ controls address personnel security, physical security, and the
protection of production inputs and outputs.

a. Informational
b. Technical
c. Operational
d. Managerial

75.

RAID is an acronym for a __________ array of independent disk drives that
stores information across multiple units to spread out data and minimize the impact of a single drive
failure.

a. replicated
b. resistant
c. random
d. redundant

76.

The CPMT conducts the BIA in three stages. Which of the following is NOT
one of those stages?

a. Determine mission/business processes and recovery criticality
b. Identify recovery priorities for system resources
c. Identify resource requirements
d. All of these are BIA stages

77.

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

a. de formale
b. de public
c. de jure
d. de facto

78.

The spheres of security are the foundation of the security framework and
illustrate how information is under attack from a variety of sources, with far fewer protection
layers between the information and potential attackers on the __________ side of the
organization.

a. technology
b. Internet
c. people
d. operational

79.

The stated purpose of ISO/IEC 27002 is to “offer guidelines and
voluntary directions for information security __________."

a. implementation
b. certification
c. management
d. accreditation

80.

A(n) _________ is a document containing contact information for the people to be
notified in the event of an incident.

a. emergency notification system
b. alert roster
c. phone list
d. call register

81.

The transfer of large batches of data to an off-site facility, usually through
leased lines or services, is called ____.

a. off-site storage
b. remote journaling
c. electronic vaulting
d. database shadowing

82.

Security __________ are the areas of trust within which users can freely
communicate.

a. perimeters
b. domains
c. rectangles
d. layers

83.

When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

a. The standard lacked the measurement precision associated with a technical standard.
b. It was not as complete as other frameworks.
c. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
d. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

84.

The goals of information security governance include all but which of the
following?

a. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

85.

________ often function as standards or procedures to be used when configuring or maintaining systems.

a. ESSPs
b. EISPs
c. ISSPs
d. SysSPs

86.

________ controls cover security processes that are designed by strategic
planners and implemented by the security administration of the organization.

a. Managerial
b. Technical
c. Operational
d. Informational

87.

A fundamental difference between a BIA and risk management is that risk
management focuses on identifying the threats, vulnerabilities, and attacks to determine which
controls can protect the information, while the BIA assumes __________.

a. controls have been bypassed
b. controls have proven ineffective
c. controls have failed
d. All of the above

88.

A security ________ is an outline of the overall information security strategy
for the organization and a roadmap for planned changes to the information security environment of the
organization.

a. plan
b. framework
c. model
d. policy

89.

Redundancy can be implemented at a number of points throughout the security
architecture, such as in ________.

a. firewalls
b. proxy servers
c. access controls
d. All of the above

90.

SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems, provides best practices and security principles that can direct the security team
in the development of a security ________.

a. plan
b. standard
c. policy
d. blueprint

91.

The ________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

a. SysSP
b. EISP
c. GSP
d. ISSP

92.

The SETA program is a control measure designed to reduce the instances of
__________ security breaches by employees.

a. intentional
b. external
c. accidental
d. physical

93.

Incident _________ is the rapid determination of the scope of the breach of the
confidentiality, integrity, and availability of information and information assets during or just
following an incident.

a. damage assessment
b. containment strategy
c. incident response
d. disaster assessment

94.

A ____ site provides only rudimentary services and facilities.

a. commercial
b. warm
c. hot
d. cold

95.

A(n) ________ plan is a plan for the organization’s intended strategic
efforts over the next several years.

a. standard
b. operational
c. tactical
d. strategic

96.

__________ is a strategy of using multiple types of technology that prevent the
failure of one system from compromising the security of information.

a. Firewalling
b. Hosting
c. Redundancy
d. Domaining

97.

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.

a. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
c. communicate among local, state and national agencies about cybersecurity risk